Patch Management

Nessus Manager can use credentials for the Red Hat Network Satellite, IBM BigFix, Dell KACE 1000, WSUS, SCCM, and Symantec Altiris patch management systems to perform patch auditing on systems for which the Nessus scanner itself has no working credentials.

IT administrators are expected to manage the patch monitoring software and install any agents required by the patch management system on their systems.

Scanning with Multiple Patch Managers

If you provide multiple sets of credentials to Nessus for patch management tools, Nessus uses all of them. Available credentials are:

Credentials supplied to directly authenticate to the target

Dell KACE 1000

IBM BigFix

Microsoft System Center Configuration Manager (SCCM)

Microsoft Windows Server Update Services (WSUS)

Red Hat Network Satellite Server

Symantec Altiris

If you provide credentials for a host as well as for one or more patch management systems, Nessus compares the findings from all methods and either reports a conflict or records a satisfied finding. Use the Patch Management Windows Auditing Conflicts plugins to highlight patch data differences between the host and a patch management system.

KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. Nessus and SecurityCenter have the ability to query KACE K1000 to verify whether or not patches are installed on systems managed by KACE K1000 and display the patch information through the Nessus or SecurityCenter user interface.

If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it performs checks on that system and ignores KACE K1000 output.

The data returned to Nessus by KACE K1000 is only as current as the most recent data that the KACE K1000 has obtained from its managed hosts.
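The precedence rules above (the host's own data wins when Nessus can log in, patch management data is the fallback when it cannot, disagreements are reported as conflicts, and patch management data is only as fresh as the host's last check-in) are easy to get wrong when reading reports by hand. The following is an added example, not Nessus plugin code, that models those rules over constructed sample data; the patch IDs are placeholders, the source names are illustrative, and the seven-day freshness threshold is an assumption the page does not state.

```python
"""Added example: reconcile a host's own patch data with patch management (PM)
system data the way the text describes. Not Nessus code; all data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class PatchSource:
    """One view of a target's patch state: the host itself or one PM system."""
    name: str
    authenticated: bool                                      # False if login/query failed
    installed: Dict[str, bool] = field(default_factory=dict)  # patch ID -> installed?
    last_seen: Optional[datetime] = None                     # PM system's last check-in from host


def reconcile(host: PatchSource, pm_sources: List[PatchSource], now: datetime,
              max_age: timedelta = timedelta(days=7)) -> dict:
    """Pick the authoritative source; report missing/satisfied patches, conflicts, stale data.

    max_age is an assumed freshness limit: the text only says PM data is as current
    as the host's last check-in and names no threshold."""
    result = {"source": None, "missing": [], "satisfied": [], "conflicts": {}, "stale": []}

    # A PM system's answer is only as current as the host's last check-in with it.
    for pm in pm_sources:
        if pm.authenticated and pm.last_seen is not None and now - pm.last_seen > max_age:
            result["stale"].append(pm.name)

    if host.authenticated:
        # Direct host data drives the finding; PM data only serves to spot disagreements.
        result["source"] = host.name
        primary = dict(host.installed)
        for pm in pm_sources:
            if not pm.authenticated:
                continue
            shared = primary.keys() & pm.installed.keys()   # patches both sides know about
            diff = sorted(pid for pid in shared if primary[pid] != pm.installed[pid])
            if diff:
                result["conflicts"][pm.name] = diff
    else:
        # Host unreachable: fall back to the PM systems that answered, merging their views.
        usable = [pm for pm in pm_sources if pm.authenticated]
        if not usable:
            return result                       # nothing to audit against
        result["source"] = "+".join(pm.name for pm in usable)
        primary = {}
        for pm in usable:
            for pid, ok in pm.installed.items():
                # a patch counts as missing if any PM system reports it missing
                primary[pid] = primary.get(pid, True) and ok

    result["missing"] = sorted(pid for pid, ok in primary.items() if not ok)
    result["satisfied"] = sorted(pid for pid, ok in primary.items() if ok)
    return result


# Constructed sample data; patch IDs are placeholders, not real advisories.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
HOST = PatchSource("host", authenticated=True,
                   installed={"P1": True, "P2": False, "P3": True})
WSUS = PatchSource("WSUS", authenticated=True,
                   installed={"P1": True, "P2": True, "P4": False},
                   last_seen=NOW - timedelta(days=1))
SCCM = PatchSource("SCCM", authenticated=True,
                   installed={"P2": False, "P3": False},
                   last_seen=NOW - timedelta(days=30))

if __name__ == "__main__":
    print(reconcile(HOST, [WSUS, SCCM], NOW))
    print(reconcile(PatchSource("host", authenticated=False), [WSUS, SCCM], NOW))
```

With the host reachable, the finding is driven by the host (P2 missing), WSUS is flagged as conflicting on P2 and SCCM on P3, and SCCM's month-old data is marked stale. With the host unreachable, the two PM views are merged and a patch is missing if either system says so, which is why P3 and P4 join P2 in the fallback result.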

KACE K1000 scanning uses four Nessus plugins.

kace_k1000_get_computer_info.nbin (Plugin ID 76867)

kace_k1000_get_missing_updates.nbin (Plugin ID 76868)

kace_k1000_init_info.nbin (Plugin ID 76866)

kace_k1000_report.nbin (Plugin ID 76869)

You must provide credentials for the Dell KACE K1000 system for K1000 scanning to work properly. Under the Credentials tab, select Patch Management, then select Dell KACE K1000. The options (default in parentheses) are:

Server (none): KACE K1000 IP address or system name. Required.

Database Port (3306): Port the K1000 database is listening on (typically TCP 3306).

Organization Database Name (ORG1): The name of the organization component of the KACE K1000 database. It begins with the letters ORG and ends with a number that matches the number in the K1000 database username.

Database Username (none): Username required to log into the K1000 database; R1 is the default if no user is defined. The username begins with the letter R and ends with the number of the organization to scan, so R1 pairs with ORG1. Required.

K1000 Database Password (none): Password for the K1000 database username. Required.

IBM BigFix is available from IBM to manage the distribution of updates and hotfixes for desktop systems. Nessus and SecurityCenter have the ability to query IBM BigFix to verify whether or not patches are installed on systems managed by IBM BigFix and display the patch information.

If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore IBM BigFix output.

The data returned to Nessus by IBM BigFix (formerly Tivoli Endpoint Manager, TEM) is only as current as the most recent data that the IBM BigFix server has obtained from its managed hosts.

Credentials for the IBM BigFix server must be provided for IBM BigFix scanning to work properly. The options (default in parentheses) are:

Web Reports Server (none): Name of the IBM BigFix Web Reports server.

Web Reports Port (none): Port on which the IBM BigFix Web Reports server listens.

Web Reports Username (none): Web Reports administrative username.

Web Reports Password (none): Password for the Web Reports administrative username.

HTTPS (enabled): Whether the Web Reports service uses SSL/TLS.

Verify SSL certificate (enabled): Verify that the Web Reports server's SSL certificate is valid. Leave this enabled: with verification disabled, the administrative credentials above can be handed to anyone able to intercept the connection.

Package reporting is supported by RPM-based and Debian-based distributions that IBM BigFix officially supports. This includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and Oracle Linux, as well as Debian and Ubuntu. Other distributions may also work, but unless IBM BigFix officially supports them, there is no support available.

For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian, and Ubuntu are supported. The plugin Patch Management: Tivoli Endpoint Manager Get Installed Packages must be enabled.

In order to use these auditing features, you must make changes to the IBM BigFix server. You must import a custom analysis into IBM BigFix so that detailed package information is retrieved and made available to Nessus. Before beginning, save the following text to a file on the IBM BigFix system, and name it with a .bes extension.

Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of Windows-based systems. Nessus has the ability to query the SCCM service to verify whether or not patches are installed on systems managed by SCCM and display the patch information through the Nessus or SecurityCenter GUI.

If the credentialed check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore SCCM output.

The data returned by SCCM is only as current as the most recent data that the SCCM server has obtained from its managed hosts.

Nessus connects to the server that is running the SCCM site. The credentials must be valid for the SCCM service, that is, an SCCM administrator account with the privileges to query all the data visible in the SCCM console (MMC). That server may also run the SQL database, or the database and the SCCM repository may sit on separate servers. For this audit, Nessus must connect to the SCCM site server, not the SQL server, when the two are on separate boxes.

Nessus SCCM patch management plugins support SCCM 2007 and SCCM 2012.

SCCM scanning is performed using four Nessus plugins.

Patch Management: SCCM Server Settings (Plugin ID 57029)

Patch Management: Missing updates from SCCM (Plugin ID 57030)

Patch Management: SCCM Computer Info Initialization (Plugin ID 73636)

Patch Management: SCCM Report (Plugin ID 58186)

Credentials for the SCCM system must be provided for SCCM scanning to work properly. Under the Credentials tab, select Patch Management and then Microsoft SCCM.

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. Nessus and SecurityCenter have the ability to query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the Nessus or SecurityCenter user interface.

If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore WSUS output.

The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.

WSUS scanning is performed using three Nessus plugins.

Patch Management: WSUS Server Settings (Plugin ID 57031)

Patch Management: Missing updates from WSUS (Plugin ID 57032)

Patch Management: WSUS Report (Plugin ID 58133)

Credentials for the WSUS system must be provided for WSUS scanning to work properly. Under the Credentials tab, select Patch Management and then Microsoft WSUS.

Red Hat Satellite is a systems management platform for Linux-based systems. Nessus has the ability to query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.

Although not supported by Tenable, Inc., the RHN Satellite plugin also works with Spacewalk Server, the open-source upstream version of Red Hat Satellite. Spacewalk can manage distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.

If the credential check sees a system, but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore RHN Satellite output.

The data returned to Nessus by RHN Satellite is only as current as the most recent data that the Satellite server has obtained from its managed hosts.

Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. Nessus and SecurityCenter have the ability to use the Altiris API to verify whether or not patches are installed on systems managed by Altiris and display the patch information through the Nessus or SecurityCenter GUI.

If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore Altiris output.

The data returned to Nessus by Altiris is only as current as the most recent data that the Altiris server has obtained from its managed hosts.

Nessus connects to the Microsoft SQL server that holds the Altiris database. The credentials must be valid for the MSSQL database, that is, a database account with the privileges to query all the data in the Altiris MSSQL database. The database server may run on a separate host from the Altiris deployment; in that case Nessus must connect to the MSSQL host, not the Altiris server.

Altiris scanning is performed using four Nessus plugins.

symantec_altiris_get_computer_info.nbin (Plugin ID 78013)

symantec_altiris_get_missing_updates.nbin (Plugin ID 78012)

symantec_altiris_init_info.nbin (Plugin ID 78011)

symantec_altiris_report.nbin (Plugin ID 78014)

Credentials for the Altiris Microsoft SQL (MSSQL) database must be provided for Altiris scanning to work properly. Under the Credentials tab, select Patch Management and then Symantec Altiris. The credentials (default in parentheses) are:

Server (none): Altiris IP address or system name. Required.

Database Port (5690): Port the Altiris database is listening on (typically TCP 5690).

Database Name (Symantec_CMDB): Name of the MSSQL database that holds the Altiris patch information.

Database Username (none): Username required to log into the Altiris MSSQL database. Required.

Database Password (none): Password for the Altiris MSSQL database username. Required.

Use Windows Authentication (disabled): Authenticate with NTLMSSP instead of Kerberos, for compatibility with older Windows servers.

Before Nessus can pull patch management information from Altiris, the Altiris deployment itself must be configured to permit that access.